Towards an Algebraic Attack on AES-128 Faster Than Brute-Force
Related papers
Algebraic Cryptanalysis of Simplified AES
Cryptologia, 2009
Simplified AES was developed in 2003 as a teaching tool to help students understand AES. It was designed so that the two primary attacks on symmetric-key block ciphers of that time, differential cryptanalysis and linear cryptanalysis, are not trivial on simplified AES. Algebraic cryptanalysis is a technique that uses modern equation solvers to attack cryptographic algorithms. There have been some claims that AES is threatened by algebraic cryptanalysis. We will use algebraic cryptanalysis to attack simplified AES.
Improved algebraic side-channel attack on AES
2012
In this paper we present improvements of the algebraic side-channel analysis of the Advanced Encryption Standard (AES) proposed in [1]. In particular, we optimize the algebraic representation of AES and the algebraic representation of the obtained side-channel information in order to speed up the attack and increase the success rate. We study the performance of our improvements in both known and unknown plaintext/ciphertext attack scenarios. Our experiments indicate that in both cases the amount of required side-channel information is less than the one required in the attacks introduced in [1]. Furthermore, we introduce a method for error handling, which allows our improved algebraic side-channel attack to escape the assumption of an error-free environment and thus become applicable in practice. We demonstrate the practical use of our improved algebraic side-channel attack by inserting predictions from a single-trace template attack.
On selection of samples in algebraic attacks and a new technique to find hidden low degree equations
International Journal of Information Security, 2015
The best way of selecting samples in algebraic attacks against block ciphers is not well explored and understood. We introduce a simple strategy for selecting the plaintexts and demonstrate its strength by breaking reduced-round KATAN32, LBlock and SIMON. For each case, we present a practical attack on a reduced-round version which outperforms previous attempts of algebraic cryptanalysis whose complexities were close to exhaustive search. The attack is based on the selection of samples using cube attack and ElimLin which was presented at FSE'12, and a new technique called Universal Proning. In the case of LBlock, we break 10 out of 32 rounds. In KATAN32, we break 78 out of 254 rounds. Unlike previous attempts which break a smaller number of rounds, we do not guess any bit of the key and we only use structural properties of the cipher to be able to break a higher number of rounds with much lower complexity. We show that cube attacks owe their success to the same properties and therefore, can be used as a heuristic for selecting the samples in an algebraic attack. The performance of ElimLin is further enhanced by the new Universal Proning technique, which allows
Algebraic Cryptanalysis of the Data Encryption Standard
Proceedings of the 11th IMA international …, 2007
In spite of the growing importance of AES, the Data Encryption Standard is by no means obsolete. DES has never been broken from the practical point of view. Triple DES is believed very secure, is widely used, especially in the financial sector, and should remain so for many, many years to come. In addition, some doubts have been raised whether its replacement AES is secure, given the extreme level of "algebraic vulnerability" of the AES S-boxes (their low I/O degree and exceptionally large number of quadratic I/O equations). Is DES secure from the point of view of algebraic cryptanalysis, a new, very fast-growing area of research? We do not really hope to break it, but just to advance the field of cryptanalysis. At a first glance, DES seems to be a very poor target, as there is (apparently) no strong algebraic structure of any kind in DES. However, in [14] it was shown that "small" S-boxes always have a low I/O degree (cubic for DES, as we show below). In addition, due to their low gate count requirements, by introducing additional variables, we can always get an extremely sparse system of quadratic equations. To assess the algebraic vulnerabilities is the easy part, that may appear unproductive. In this paper we demonstrate that in this way, several interesting attacks on a real-life "industrial" block cipher can be found. One of our attacks is the fastest known algebraic attack on 6 rounds of DES. Yet, it requires only one single known plaintext (instead of a very large quantity), which is quite interesting in itself. Though (on a PC) we recover the key for only six rounds, in a much weaker sense we can also attack 12 rounds of DES. These results are very interesting because DES is known to be a very robust cipher, and our methods are very generic. They can be applied to DES with modified S-boxes and potentially other reduced-round block ciphers.
An Improvement of Linearization-Based Algebraic Attacks
Lecture Notes in Computer Science, 2011
In an algebraic attack on a cipher, one expresses the encryption function as a system (usually overdefined) of multivariate polynomial equations in the bits of the plaintext, the ciphertext and the key, and subsequently solves the system for the unknown key bits from the knowledge of one or more plaintext/ciphertext pairs. The standard eXtended Linearization algorithm (XL) expands the initial system of equations by monomial multiplications. The expanded system is treated as a linear system in the monomials. For most block ciphers (like the Advanced Encryption Standard (AES)), the size of the linearized system turns out to be very large, and consequently, the complexity to solve the system often exceeds the complexity of brute-force search. In this paper, we propose a heuristic strategy XL SGE to reduce the number of linearized equations. This reduction is achieved by applying structured Gaussian elimination before each stage of monomial multiplication. Experimentation on small random systems indicates that XL SGE has the potential to improve the performance of the XL algorithm in terms of the size of the final solvable system. This performance gain is exhibited by our heuristic also in the case of a toy version of AES.
Comparative Study of Algebraic Attacks
IARJSET, 2016
Cryptographic schemes have an algebraic structure and can be described as multivariate polynomial equations. Even though algebra is the default tool in the cryptanalysis of asymmetric cryptosystems, there has recently been an increase in interest in the use of algebraic cryptanalysis techniques in the analysis of symmetric cryptosystems. The basic idea behind the algebraic attack is to express the whole cryptosystem as a large system of multivariate polynomial equations, and then to consider methods for solving the system to recover the key. Solving multivariate polynomial systems is a typical problem studied in Algebraic Geometry and Computational Algebra. Computing a Gröbner basis is the best known method to solve this problem. Finding Gröbner bases is a difficult task which requires lots of computational resources. This paper discusses and explains in depth different algorithms to compute Gröbner bases using examples. This paper also compares these algorithms from the points of view of accuracy and efficiency (the required resources: time and effort) to get the accurate results. Finally, the worthiness of these algorithms to be applied to cryptanalysis has been discussed.
CTC2 and Fast Algebraic Attacks on Block Ciphers Revisited
The cipher CTC (Courtois Toy Cipher) described in (4) has been designed to demonstrate that it is possible to break on a PC a block cipher with good diffusion and a very small number of known (or chosen) plaintexts. It has however never been designed to withstand all known attacks on block ciphers, and Dunkelman and Keller have shown (13) that a few bits of the key can be recovered by Linear Cryptanalysis (LC), which cannot however compromise the security of a large key. This weakness can easily be avoided: in this paper we give a specification of CTC2, a tweaked version of CTC. The new cipher is MUCH more secure than CTC against LC, and the key scheduling of CTC has been extended to use any key size, independently from the block size. Otherwise, there is little difference between CTC and CTC2. We will show that up to 10 rounds of CTC2 can be broken by simple algebraic attacks.
Computational and Algebraic Aspects of the Advanced Encryption Standard
The new Advanced Encryption Standard (AES) has been recently selected by the US government to replace the old Data Encryption Standard (DES) for protecting sensitive official information. Due to its simplicity and elegant algebraic structure, the choice of the AES algorithm has motivated the study of a new approach to the analysis of block ciphers. While conventional methods of cryptanalysis (e.g. differential and linear cryptanalysis) are usually based on a "statistical" approach, where an attacker attempts to construct statistical patterns through many interactions of the cipher, the so-called algebraic attacks exploit the intrinsic algebraic structure of a cipher. More specifically, the attacker expresses the encryption transformation as a set of multivariate polynomial equations and attempts to recover the encryption key by solving the system. In this paper we consider a number of algebraic aspects of the AES, and examine a few computational and algebraic techniques that could be used in the cryptanalysis of the cipher. We show how one can express the cipher as a very large, though surprisingly simple, system of multivariate quadratic equations over the finite field F_{2^8}, and consider some approaches that can be used to solve this system.
Algebraic Side-Channel Attacks on the AES: Why Time also Matters in DPA
Lecture Notes in Computer Science, 2009
Algebraic side-channel attacks have been recently introduced as a powerful cryptanalysis technique against block ciphers. These attacks represent both a target algorithm and its physical information leakages as an overdefined system of equations that the adversary tries to solve. They were first applied to PRESENT because of its simple algebraic structure. In this paper, we investigate the extent to which they can be exploited against the AES Rijndael and discuss their practical specificities. We show experimentally that most of the intuitions that hold for PRESENT can also be observed for an unprotected implementation of Rijndael in an 8-bit controller. Namely, algebraic side-channel attacks can recover the AES master key with the observation of a single encrypted plaintext, and they easily deal with unknown plaintexts/ciphertexts in this context. Because these attacks can take advantage of the physical information corresponding to all the cipher rounds, they imply that one cannot trade speed for code size (or gate count) without affecting the physical security of a leaking device. In other words, more intermediate computations inevitably lead to more exploitable leakages. We analyze the consequences of this observation on two different masking schemes and discuss its impact on other countermeasures. Our results exhibit that algebraic techniques lead to a new understanding of implementation weaknesses that is different from that of classical side-channel attacks.